Conficker: Don’t Believe the Hype

You may have heard about Conficker, the rogue computer program that might do something dreadful on April 1. The truth is that the threat posed by Conficker is almost entirely theoretical, and that only a handful of dedicated professionals will notice anything out of the ordinary when that date comes around.

Conficker is the latest example of a type of malware called a botnet, which gives a cybercriminal control over an infected computer. The criminal can steal information stored on the computer or make it do things like send spam emails. In some cases, criminals amass millions of computers to command.

Researchers estimate that a couple million computers could be infected with Conficker, which makes it a large botnet, but not the largest. What sets Conficker apart is that it’s more sophisticated than any previous piece of malware. It uses a new form of cryptography, can be controlled by criminals in multiple ways, and updates itself. This scares security researchers. So does the fact that the bad guys haven’t done anything with the computers they control yet, which means they could do, well, anything.

Conficker periodically seeks new instructions from its master, and the first day of April is the next scheduled update. At that point it could receive instructions to steal information or try to launch some sort of Internet-crippling attack. But there’s no evidence that anything like that will happen.

“I don’t see anything on April 1 that will cause any significant havoc,” says Phil Porras, a researcher at SRI, and one of the people trying to stop Conficker. The most likely outcome is that the day will pass and no one will have noticed anything.

Conficker is grabbing headlines because Microsoft offered a $250,000 bounty to anyone providing information leading to the arrest and conviction of the people responsible for the malicious code. Plus, the fact that it hasn’t been used for anything yet gives it an air of mystery — most botnets are used to send emails pushing Viagra. Journalists and tech companies looking for attention are willing to project onto Conficker whatever they think sells. And in the tech security world, that’s too often gloom-and-doom stories.

It’s certainly better not to have your computer infected with Conficker — and anyone using a computer with up-to-date anti-virus software is reasonably safe. But Conficker isn’t the digital Pearl Harbor some have made it out to be.

“There is an amazing amount of crying wolf about the wrong things,” says Rodney Joffe, senior vice president at NeuStar, a technology clearinghouse, and another one of the self-appointed Internet defenders. “There is no indication that anything will happen.”